
Microsoft cloud leaks big—65% of US households at risk

Richi Jennings, Industry analyst and editor, RJAssociates

Yet another cloud database with no security. And this one’s enormous.

This time, Microsoft was discovered hosting an 80 million-row, open database of US adults aged over 40. We still don’t know who owns the data, but some speculate shadow IT is to blame.

Obviously, Microsoft bears no responsibility whatsoever for this fantastic faux pas. The unprotected dataset is stuffed full of PII, and represents about 65% of US households.

Let that sink in for a moment: sixty-five percent. In this week’s Security Blogwatch, we’re fed up with feeling déjà vu.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: the Human League shuffle.


Azure ’ad enough yet?

What’s the craic? Laura Hautala claims a breathless “exclusive”—information on addresses, income levels, and marital status:

Addresses and demographic details of more than 80 million US households were exposed on an unsecured database stored on the cloud. … Unlike a hack, you don't need to break into a computer system to access an exposed database.

It's one more example of a widespread problem with cloud data storage. … Many organizations don't have the expertise to secure the data they keep on internet-connected servers.

The researchers … were unable to identify the owner of the database. [But] a Microsoft spokesperson [told me] "We have notified the owner of the database and are taking appropriate steps to help the customer remove the data until it can be properly secured."

Repeat after me: Never make your tables world-readable. Michael Simon says No one has any idea who's to blame:

Data breaches are almost always tied to a site, service, or subscription, which gives you some control over your fate. … But a new reported breach has seemingly exposed the personal information of some 80 million U.S. households—and no one seems to know who’s to blame.

There’s a lot we don’t know yet, but there’s enough evidence to suggest that the breach is incredibly widespread. [It] might not seem as dangerous as a social security or credit card number leak, but … hackers could use the information here in phishing and ransomware scams, as well as less-technical scams that track your social media to find out if you’re home.

Some sugar for the horse’s mouth? Noam Rotem, Ran Locar, and friends report an Unknown Data Breach:

Hosted by a Microsoft cloud server, the 24 GB database includes the number of people living in each household with their full names, their marital status, income bracket, age, and more. … The database seems to itemize households rather than individuals. It includes:
 
    • Full addresses …
    • Exact longitude and latitude
    • Full names …
    • Age
    • Date of birth
    • Title
    • Gender
    • Marital status
    • Income
    • Homeowner status
    • Dwelling type

We believe that it is the first time a breach of this size has included people’s names, addresses, and income. This open database is a goldmine for identity thieves and other attackers.

[We’re] currently undertaking a huge web mapping project. [We] use port scanning to examine known IP blocks. This reveals open holes in web systems, which [we] then examine for weaknesses and data leaks. … We then reach out to the database’s owner to report the leak. … This helps build a safer and more protected internet.

[But] unlike previous leaks we’ve discovered, this time we have no idea who this database belongs to. [We] suspect that the database is owned by an insurance, healthcare, or mortgage company.

Doesn’t anyone recognize the data? Günter Born swaddles the story—Huge data breach:

The researchers … don’t know exactly who is leaking that data. But they hope blogs can help spread the word.

A reader notified me … that it could be a database with a questionnaire of the US Census Authority – the structure of the database reflects their questions.

But it’s clearly been subsetted by age, as chispito and others note:

[It] only appears to include people ages forty and up. This seems to be the most interesting point in trying to figure out where the data originated.

Specifically? Rob Schoedel—@Pavitro23—suggests some possibilities:

The data fields look very similar to what many marketing list or "list broker" providers gather and sell. All the fields seem to fit except for "member code", but that could have a non-intuitive meaning within the context of the service.

e.g. ListGiant, InfoUSA.

Here we go again. Warren Rumak sighs:

There are hundreds of stories like this from the last 20 years.

Why? One reason: Because there are a lot of dumb and lazy programmers out there who leave ports exposed so they can work remotely without having to use a VPN or IPsec or whatever.

That dumbness persists, regardless of the technology stack.

But how does that happen in the cloud? Doctor Syntax is IN:

It's so they can avoid—and even better, get rid of—those obstructive **** in IT who make such a fuss about who can get access and the hoops they have to jump through to do it. So much easier just to put it in the cloud. The people who run the cloud don't complicate things like IT do.

The data centres are run by IT people. Their brief is to keep the stuff running, install new kit and swap out whatever's failed.

If a client thinks that this is all their in-house IT do … then maybe that's where the problem lies. … Ask yourself what stands between you and your businesses becoming the subject of the next of these reports.

Meanwhile, Shelton Koskie sounds fed up with the narrative:

This headline is getting old. Time for some legal action against negligent companies.

The moral of the story?

Shadow IT could be a far bigger problem than you first thought.


And finally

Enjoy this video before some humorless record-company lawyer loses their ****


You have been reading Security Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or sbw@richi.uk. Ask your doctor before reading. Your mileage may vary. E&OE.

Image source: Gerd Altmann (via Pixabay)
